hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ima: limit secure boot feedback scope for appraise 

Only emit an unknown/invalid message when setting the IMA appraise mode
to anything other than "enforce", when secureboot is enabled.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
[zohar@linux.ibm.com: updated commit message]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Bruno Meneguele 2020-09-04 22:20:20 -03:00 committed by Mimi Zohar
parent 7fe2bb7e7e
commit e4d7e2df3a
1 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
security/integrity/ima/ima_appraise.c
View File

@ -19,22 +19,29 @@
static int __init default_appraise_setup(char *str)
{
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
if (arch_ima_get_secureboot()) {
pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
str);
return 1;
}
bool sb_state = arch_ima_get_secureboot();
int appraisal_state = ima_appraise;
if (strncmp(str, "off", 3) == 0)
ima_appraise = 0;
appraisal_state = 0;
else if (strncmp(str, "log", 3) == 0)
ima_appraise = IMA_APPRAISE_LOG;
appraisal_state = IMA_APPRAISE_LOG;
else if (strncmp(str, "fix", 3) == 0)
ima_appraise = IMA_APPRAISE_FIX;
appraisal_state = IMA_APPRAISE_FIX;
else if (strncmp(str, "enforce", 7) == 0)
ima_appraise = IMA_APPRAISE_ENFORCE;
appraisal_state = IMA_APPRAISE_ENFORCE;
else
pr_err("invalid \"%s\" appraise option", str);
/* If appraisal state was changed, but secure boot is enabled,
* keep its default */
if (sb_state) {
if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
str);
} else {
ima_appraise = appraisal_state;
}
#endif
return 1;
}